Unusual Statistics - Cisco PIX

Hi there, I have been trialling the Firewall Analyzer as a tool for investigating internet abuse on our corporate network. My initial impressions of the product are good but there is something that is bugging me about the way sent/receive statistics are displayed.

Basically, the UI displays hardly any sent traffic for any host with the exception of our Exchange server which is obviously sending mail to the outside world. My firewall is a Cisco PIX and I have read the configuration guidelines relating to the PIX and have configured it appropriately. I have added both our internal subnets and DMZ subnets in the Intranet Settings.

As far as I am concerned there is definitely something amiss since I have tested FTP'ing a 4MB file to an external (internet) FTP server and my host still doesn't show up as having sent anything. The sent data seems to be represented as received data (alongside other people's web usage stats) even though I am in fact sending to the Internet. I have read some of the notes and forum topics about strange sent/received data but I haven't seen an adequate answer to the problem as it relates to my environment.

If this is due to a limitation in how Firewall Analyzer can interpret and decode Cisco PIX syslog messages then I am afraid that this will be a show stopper for me and I will have to investigate other solutions. I would desperately love to have someone tell me that this is not the case though since I think this could be a really good tool for us. Can anyone help explain what is going on here and if there is some configuration that I am missing? I have attached some screenshots, sorry about the dodgy labels.

Luke






